Part of our process in the cleaning of an infected website is determining how the website was infected so we can create a security plan to prevent the website from being infected again.

Many of these infected WordPress websites were “hacked” by stolen login credentials – yes, the WordPress username and password.

How did we find this?

Our process includes log file analysis. We started seeing traffic to the ToolsPack.php file around the same time the files were infected. Closer examination of that file revealed the code listed above.

Some Google searches showed that while the plugin appeared to be marketed as legitimate, it was not.

Further analysis of the datetime stamp on ToolsPack folder and the log files did not show any correlation. In talking with the website owners we had them run virus scans on their computers and everyone of them with the ToolsPack plugin had a virus or trojan on them. This included Apple’s Mac.

Yes, the hackers are infected computers, both PCs and Macs with password stealing trojans. These password stealing trojans are stealing all passwords.

We have worked on many hosting accounts that had FTP accounts added to them. The hackers stole the hosting account username and password, logged in and created their own FTP accounts – with strong passwords of course.

Website security is a blended partnership between WeWatchYourWebsite and you. We can watch and update and protect your website, but if the hackers are logging in as you, we cannot prevent that.

Strong passwords, renaming the admin account and all the security related plugins would not prevent this type of attack. You may be alerted to the new plugin being installed, but by then, your account has already been compromised.

We suggest you run a full virus scan on your computer, yes even on your Mac, at least once a week. Be certain that the signatures are updated every day as well.

If you assistance in recovering from this infection, please contact me directly at: traef@wewatchyourwebsite.com or by phone at: (847)728-0214.

The ProFTPD Project team is sorry to announce that the Project’s main FTP server, as well as all of the mirror servers, have carried compromised versions of the ProFTPD 1.3.3c source code, from the November 28 2010 to December 2 2010. All users who run versions of ProFTPD which have been downloaded and compiled in this time window are strongly advised to check their systems for security compromises and install unmodified versions of ProFTPD.

Actually the site was: search.property.telegraph.co.uk and only the usernames and passwords of people who login to the site were exposed. As always, often times people use the same username and password for a variety of logins so an incident like this could grow bigger than just having someone post comments using a “hacked” username and password.

Remediation and Preventative Measures: Same as for all SQLi attacks – properly sanitizing all data submitted to a SQL database.